1

V2X Misbehavior and Collective Perception

Service: Considerations for Standardization
Mohammad Raashid Ansari, Jean-Philippe Monteuuis, Jonathan Petit, Cong Chen
Qualcomm Technologies, Inc.
Boxborough, MA, USA
{ransari,jmonteuu,petit,congchen}@qti.qualcomm.com

Abstract—Connected and Automated Vehicles (CAV) use

sensors and wireless communication to improve road safety RSU
and efficiency. However, attackers may target Vehicle-to-
Everything (V2X) communication. Indeed, an attacker may send
authenticated-but-wrong data to send false location information, Sensor-sharing
alert incorrect events or report a bogus object endangering other message
CAVs’ safety. Currently, Standardization Development Organi-
zations are working on developing security standards against
such attacks. Unfortunately, current standardization efforts do
not include misbehavior specifications for advanced V2X services Fig. 1: Collective Perception Scenario
such as Collective Perception (CP) yet. This work assesses the
security of CP Messages and proposes inputs for consideration
in existing standards. telematics awareness negatively. It has been shown that attacks
Index Terms—CAV, V2X, collective perception, misbehavior, on BSMs can have dramatic effects on V2X applications [3].
threat analysis, risk assessment, standards. To detect and protect against such attackers, a Misbehavior
Detection System (MBDS) must be deployed [4]. However,
very little research has been done on the security of CPMs.
I. I NTRODUCTION
In this paper, we summarize the results of a threat assessment
Vehicle-to-Everything (V2X) communication has the poten- (TA) on the Collective Perception Service (CPS) defined in
tial to tremendously improve vehicle safety technology to its ETSI Technical Report (TR) 103 562 [5] and ETSI Technical
next evolution. It enables V2X equipped vehicles to exchange Standard (TS) 103 324 [6]. We also identify gaps in the current
their telematics information to create awareness, especially standardization of CPS and MBDS and propose items for
in non-line-of-sight (NLoS) conditions. This is achieved by consideration.
broadcasting a message called Basic Safety Message (BSM), The paper is organized as follows. Section II presents the
or Cooperative Awareness Message (CAM). Both of these standardization and academic efforts in the domain of V2X CP
messages contain the same information (location and kine- and its security. Section III details the system model and the
matic state of the sender) but are defined in two different CPM. Section IV describes the attacker model considered in
standards. BSM is defined in the Society of Automotive our TA presented in Section V. Section VI discusses the open
Engineers (SAE) J2735 standard [1] and CAM is defined in challenges facing standardization and research to achieve a
the European Telecommunications Standards Institute (ETSI) secure CPS. Finally, Section VII concludes this paper.
European Standard (EN) 302 637-2 standard [2]. However, not
all objects on the road may be equipped with V2X capabil- II. R ELATED W ORK
ity (e.g., non-V2X vehicles, pedestrians, obstacles, animals).
This section provides an overview of functional and security
Therefore, a new service called Collective Perception Service
standards for CPM. Additionally, this section includes related
(CPS) has been created to allow sharing observations of such
academic work.
objects by sharing sensor data among V2X-enabled vehicles
about non-V2X objects on the road. Vehicles participating to
the CPS generate and consume a message called Collective A. Standardization
Perception Message (CPM) and is designed to complement In this section, we briefly introduce existing and ongoing
the BSM/CAM service. Henceforth, we will refer to both BSM standards from a functional and security perspective.
and CAM services as only CAM service. 1) Functional Standards: The notion of CP has been in-
CAMs and CPMs are supposed to be used to make driving troduced in the V2X community to share perceived scene
decisions by an operator and/or an automated driving system. information among V2X agents and smart infrastructures. As
Due to this reason, these services become safety-critical and a result, each V2X agent can enhance its detection capabil-
it is paramount that the information passed through these ities by considering the received information over the V2X
services is accurate. An attacker similar to the one discussed network about non-V2X objects, which are beyond its on-
in Section IV can send wrong data in order to affect receivers’ board sensor range but observed by V2X-equipped connected
 2

TABLE I: Status of MBD specification per message type

Connected and Automated Vehicle
V2X Message Misbehavior Detectors Status
BSM / CAM Specified Local Perception
Collective
DENM Specified Sensor 1 Sensorial Perception
CPM Specification is missing ... Local objects Application
CPM
Fusion
Sensor N

smart infrastructures or other V2X-enabled connected agents. Augmented Perception

Figure 1 shows a scenario where a vehicle detects vulnerable Cooperative
road users and share its sensor information with neighboring Description of
V2X elements V2X objects
Fusion
V2X Message
vehicles. Currently, several ongoing standardization initiatives (e.g., CAM, CPM, ...)
Data storage & validation
exist in:
• North America (SAE J3224 [7])
• Europe (ETSI TS 103 324 [6] / TR 103 562 [5])
Local Dynamic Map
(LDM)
• China (CSAE 157 [8])
Even though the standards above have the same purpose, Fig. 2: Collective Perception System [13]
each has its own specification, and thus, might have different
cybersecurity threats. In this work, we present our TA of TR
103 562 because it is publicly and freely available. objects are objects unable to use V2X communication to send
2) Security Standard: ETSI TS 103 759 [9] is a standard safety awareness messages. Finally, this list of connected and
under development that defines V2X MBD and reporting non-connected objects is stored in a Local Dynamic Map
activities for CAM and Decentralized Environmental Messages (LDM). The latter stores a virtual representation of the EV’s
(DENM). The supporting TR 103 460 [10] briefly mentioned surroundings based on received V2X data and EV’s sensors
the detection and reporting of CPM, but details are out-of- (e.g., Camera and GPS). Being able to receive CPMs has
scope of the version 1 of the TS. two benefits. Firstly, CVs without sensors can perceive non-
connected objects. Secondly, CVs with low-cost sensors may
B. Academic work have an improved perception thanks to higher-tier sensors
equipped on higher-tier CVs.
In [11], Allig et. al. investigated one attacker that forges
CPM content. The trustworthiness of CPM is then estimated
by assessing data consistency across a pair of entities (using B. Collective Perception Message Format
Bayes filter). The simulation shows promising results for Figure 3 shows the structure of a CPM. The greyed fields
detecting this attack and identifying the attacker. are optional; white fields are mandatory. CPM consists of an
Hadded et al., provided a security analysis of the PAC ITS Protocol Data Unit header and containers to include infor-
V2X project [12]. The security analysis covers several V2X mation about the transmitting station, its sensory capabilities,
applications and V2X messages, including CPM. However, perceived objects and perceived free space.
their security analysis of CPM is superficial, considering only The StationDataContainer and the ManagementContainer
two attacks. Our work extended this analysis with 16 attacks provide information about the sending station, such as its po-
that cover different aspects of CPM and CPS. sition and heading. The SensorInformationContainer includes
details about the onboard sensors of the sending station, such
III. S YSTEM M ODEL as their identifier, range, and aperture angles. In addition, the
PerceivedObjectContainer lists relevant objects sensed by the
This section provides a system overview, presenting the
sending station, including their distance from the reporter,
overall collective perception system used by a Connected
speed, dimensions, and other data. Finally, the FreeSpaceAd-
Automated Vehicle (CAV), the CPM format, the authentication
dendumContainer lists areas that are unoccupied by an object.
of CPMs, and some V2X applications consuming CPMs.
It includes the identifier and list of points to denote the free
space. A receiver calculates the free space area using simple
A. Collective Perception System ray-tracing. In addition, the FreeSpaceAddendumContainer
As seen in Figure 2, sensor data sharing requires a CP can contain the identifiers of sensors linked to the sensor
system based on V2X communication and local sensors (e.g., identifiers in SensorInformationContainer.
camera, RADAR, LiDAR). A CPS relies on transmission and Another important aspect is the transmission rate of CPMs.
reception of CPMs by CAVs. Before transmitting a CPM, a Since the frequency band dedicated to V2X communication
CAV fuses each sensor’s output and generates the CPM con- is scarce, it is important to adapt the generation rate and
taining the fused output. After receiving a CPM, the collective the included objects in the CPMs appropriately to achieve
perception system fuses the CPM’s data and sensorial objects. a good trade-off between telematics awareness and channel
This process, named Cooperative Fusion, results in a list load. Thereby, preventing channel congestion and a decreased
of connected and non-connected objects. Connected objects performance of V2X communication. The CPM generation
are connected vehicles (CVs) transmitting safety awareness rules currently discussed at ETSI are based on the dynamic
messages (e.g., CAM) to the ego-vehicle (EV). Non-connected properties of the detected objects. If the object’s dynamic state
 3

Fig. 3: ETSI Collective Perception Message Format

has changed in a way that would trigger the generation of a profit and, hence, is more predictable in terms of attack means
CAM by this object, it is then included in the next CPM [14]. and attack target.
Highly dynamic objects are therefore more often included in Active versus Passive: An active attacker can generate
transmitted CPMs than slow or static objects. packets or signals to perform the attack, whereas a passive
attacker only eavesdrops the communication channel (i.e.,
C. Authentication of CPMs wireless or in-vehicle wired network).
The CPS specification includes security requirements such Local versus Extended: An attacker can be limited in scope,
as CPM’s integrity, and transmitter’s authenticity. Following even if she controls several entities (vehicles or base stations),
the IEEE 1609.2 [15], message’s integrity and transmitter’s which make her local. An extended attacker controls several
authenticity are ensured by digitally signing every CPM sent. entities that are scattered across the network, thus extending
Receivers use the transmitter’s public key contained in the her scope.
certificate to verify the digital signature attached to the CPM. Direct versus Indirect: A direct attacker reaches its primary
This forces the attacker to have valid credentials to perform target directly, whereas an indirect attacker reaches its primary
attacks on CPMs. target through secondary targets. For instance, an indirect
attacker may compromise a CPM through a sensor attack.
Figure 4 shows an example of attack on an EEBL appli-
D. V2X Applications
cation that uses CPM. This example assumes that the dark
V2X applications rely on V2X messages as an input to warn vehicle fuses its onboard sensors and V2X with equal weight.
the driver or to control the vehicle dynamics to avoid road When detecting conflicting information, it goes in fail-safe
hazard or improving gas consumption. Several safety critical mode. As a first step, an attacker (white vehicle) generates
V2X applications would benefit from using CPM [16]: multiple ghost vehicles (light gray) at specific locations [17].
• Intersection Collision Warning (ICW) Then (step 2), the attacker sends a fake BSM/DENM claiming
• Emergency Electronic Brake Lights (EEBL) an emergency brake along with the CPM reporting a sta-
• Mobile Accessible Pedestrian Signal System (MAPSS) tionary (ghost) vehicle ahead. Finally (step 3), the dark gray
• Pedestrian in Signalized Crosswalk Warning (PSCW) vehicle detects inconsistencies between its sensor readings
• Blind Merge Warning (BMW) and the received information, thus triggering fail-safe mode.
For example, EEBL would benefit from richer information This example demonstrates the importance of assessing data
about the location and cause of the event to enhance EV’s trustworthiness and detecting attacks.
reaction. From a standard perspective, these cross-application
functionalities are unspecified yet. V. T HREAT A SSESSMENT
A. Methodology
IV. ATTACKER M ODEL
Several methodologies assess the risk level for an attack.
To facilitate the TA, we formalize the attacker model
For example, attack trees were used to formalize attacks on
following the classification proposed in [17].
V2V communication [18]. However, in our context, the large
Internal versus External: The internal attacker is an authen-
ticated member of the network that can communicate with
other members. The external attacker cannot properly sign her
messages, which limits the diversity of attacks. Nevertheless, EEBL CPM
1 2 3
she can eavesdrop the V2X broadcast communication.
Malicious versus Rational: A malicious attacker seeks no ?
personal benefits from the attacks, and aims to harm the
members or the functionality of the network. Hence, she may
employ any means disregarding corresponding costs and con-
sequences. On the contrary, a rational attacker seeks personal Fig. 4: Attacking EEBL using malicious CPM
 4

TABLE II: Risk ratings and criteria [12] only their location information. Another attack on this field
Criteria High Medium Low is a remote blinding of sensors [19]. In the latter case, the
The attack is reporting vehicle (i.e., sender of CPM) isn’t misbehaving, but
hard to
The attack is
The attack is
reproduce due
is the target of an attack. However, a MBDS could detect
reproducible that the target should have reported the missing objects, and
Reproducibility easily to its
with some
reproducible complexity or hence be classified as misbehaving. This example shows the
limitations
operational
cost.
complexity of designing robust MBDS for CPMs.
The attack The attack
infects the infects the The attack has
system and system and no impacts on C. Conclusion
Impact can lead to can lead to the system but
catastrophic moderate can inflict
Most attacks have high reproducibility (only one has a
damage (e.g., damage (e.g., minor harm medium rating) since they do not require special hardware
an accident) traffic jam) to perform the attack. The impact of 3 out of all attacks in
The attack Tables III and IV have high impact rating since they have the
needs several
Broadcasted potential to put the lives of drivers and pedestrians in jeopardy.
Unknown misbehavior
information
Stealthiness
attack occurs detectors,
readily explain Lastly, these attacks are lowly rated for stealthiness as the
in certain message attacker would be exposing its certificate in the malicious
the
applications types, or data
misbehavior messages and can be easily detected if the suggested defenses
sources to be
detected for each attacks are applied.
Although the attacks we developed have high reproducibility
and impact, we have suggested defense mechanisms that
number of attacks makes the trees too large and unwieldy. should be able to detect such attacks and help report the
Therefore, our methodology follows a matrix approach based malicious actors. These defense mechanisms mainly require
on three criteria: reproducibility, impact, and stealthiness (see redundant information from other honest actors surrounding
Table II). The attack reproducibility aims to assess the level the target vehicle or redundant sensors on the target vehicle.
of ease to replicate the attack. The impact measures how However, as discussed in Section VI, the functional standards
impactful the attack can be on the victim’s car and its sur- are focusing on redundancy mitigation techniques to reduce
rounding vehicles (i.e., criticality and scalability). The attack channel load. Thus, the defense mechanisms can only be
stealthiness assesses the ease by which a driver or a system practically applied if the standards allow room for redundant
can detect it. Accordingly, we assess the overall risk level for information.
each threat based on the majority rating among the criteria.
For attacks that have all three (High, Medium, Low) ratings
VI. D ISCUSSION
in the criteria, the overall rating is taken as Medium.
In this section, we propose standard-related directions to
address some of the security gaps identified by the TA.
B. Summary
We performed a TA of the ETSI TR 103 562 [5], identifying
16 attacks. Out of the 16 attacks, 13 linked to the TR, and 3 A. Misbehavior Detectors and Reporting
were agnostic to the standards. As a result, we found two high, ETSI TR 103 460 and TS 103 759 list a set of misbehavior
six medium, and eight low risk attacks. detectors for CAM. Currently, the TS draft does not specify
Although there are more number of medium and low risk detectors for the CPM, leaving that for a future version.
attacks, some attacks are very easily reproducible and some However, we can assume that detectors (designed for CAM)
have the capability of very high impact to the CPS. We present will be applicable to CPM too. For instance, in TR 103 460,
our analysis in Tables III and IV. the detector, named implausible speed, will be the same for
As described in Section IV, the attacker model considered both CPM and CAM.
has the ability to modify all of the CPM’s containers with any Additional detectors specific to CPM will be needed though.
desired value. A potential detector could use SensorInformationContainer to
One attack on SensorInformationContainer considers sen- detect fake perceived objects. Indeed, an attacker can generate
sors that can only detect objects until 100 meters but the randomly positioned perceived objects in the PerceivedObject-
attacker modifies that value to 200 meters and reports objects Container. A detector should verify if each perceived object is
at 190 meters. This information is evidently false, but a within the sensory perception area. A perceived object outside
receiver can’t corroborate such information individually. the sensor perception area should not have been detected
One attack on FreeSpaceArea is an attacker that falsifies a by the sensor, and thus, most likely does not exist. In a
free space where an object is present. The receiving vehicle similar fashion, a CPM detector could verify if two CPMs
would only be able to corroborate against this information by from different senders are consistent. For instance, a perceived
coming in line-of-sight (LoS) of the claimed free space. object within the perceived area of vehicle A and vehicle B
One attack on PerceivedObjectContainer is when an at- should be part of the CPM sent by vehicle B. This observation
tacker creates fake perceived objects by copying values of could mean vehicle A have inserted a fake perceived object or
other perceived objects (received via CPMs) and modifying vehicle B suppressed the perceived object. Thus, an absence
 5

of consistency between the two CPMs may increase at least VII. C ONCLUSION
the suspicious level for both reporting vehicles. CPS offers to V2X-equipped vehicles the ability to ex-
After being detected, a misbehavior report (MBR) may be change richer data to improve further their telematics aware-
generated and sent to authorities for further investigation. The ness and safety. However, the security of CPM is mandatory
ASN.1 definition specified in TS 103 759 should be flexible to guarantee quality data. Standardization efforts of CPS and
enough to allow for CPM detectors. V2X MBD (separately) are ongoing worldwide, but misbehav-
ior protection in CPS still has to be addressed. In this paper,
we provided a summary of a TA done on ETSI TR 103 562,
B. Tension between redundancy mitigation and MBD which identified 16 attacks with mainly low to medium risk
level. From this assessment, we proposed four work items for
If multiple stations perceive the same (physical) object,
consideration in ongoing standardization efforts. We hope this
redundant and unnecessary frequent updates about that object
work could serve as a starting point to tackle the question of
will be broadcast, thereby increasing the network channel
CPS security by standard organizations and regulators.
load. To address this issue, ETSI CPS defined redundancy
mitigation rules. These can be frequency-based, dynamics-
R EFERENCES
based, or confidence-based, and triggered when the observed
[1] SAE, “V2x communications message set dictionary,” J2735, 2020.
channel busy ratio is higher than a predefined threshold [5]. [2] ETSI, “Intelligent Transport Systems (ITS); Vehicular Communications;
However, as noted earlier, the redundancy can be useful to Basic Set of Applications; Part 2: Specification of Cooperative Aware-
detect misbehaviors. An interesting work item could be to ness Basic Service,” EN 103 637-2, 2014.
[3] J.-P. Monteuuis, J. Petit, J. Zhang, H. Labiod, S. Mafrica, and A. Servel,
study this trade-off, and define an approach to balance between ““my autonomous car is an elephant”: A machine learning based detector
redundancy and channel congestion. for implausible dimension,” in Security of Smart Cities, Industrial
Control System and Communications (SSIC). IEEE, 2018.
[4] J. Petit, R. Ansari, and C. Chen. (2020) Misbehavior Detection for
V2X communication. DEFCON 28 Car Hacking Village. [Online].
C. Use of CPM as data source for V2X MBD (and vice versa) Available: https://www.youtube.com/watch?v=xTaksVG9Qi4
[5] ETSI, “Intelligent transport systems (its); vehicular communications;
It can be tempting to use CPM as data source to detect basic set of applications; analysis of the collective perception service
malicious CAM (or to use CAM to detect malicious CPM). (cps); release 2,” ETSI TR 103 562, 2019.
[6] ——, “Intelligent transport system (its); vehicular communications;
For instance, a perceived and connected object in a CPM basic set of applications; specification of the collective perception
may have sent CAM information that are consistent with the service,” ETSI TS 103 324, 2021.
corresponding CPM. However, the use of other message is [7] SAE, “V2x sensor-sharing for cooperative & automated driving,” SAE
J3224, 2019.
not trivial because the CAM and the CPM are received at [8] C. S. of Automotive Engineers, “Cooperative intelligent transportation
different moment in time. A motion prediction algorithm (e.g., system vehicular communication application layer specification and data
Kalman Filter) could tackle this issue. However, the standard exchange standard (phase 2),” CSAE 157, 2020.
[9] ETSI, “Intelligent transport systems (its); security; misbehaviour report-
should make clear if all vehicle shall use the same prediction ing service,” ETSI TS 103759, 2021.
algorithm, and shall provide the temporally synchronized BSM [10] ——, “Intelligent transport systems (its); security; pre-standardization
and CPM in the corresponding MBR. The specification of this study on misbehaviour detection; release 2,” ETSI TR 103 460, 2020.
[11] C. Allig, T. Leinmüller, P. Mittal, and G. Wanielik, “Trustworthiness
approach might impact the ASN.1 definition of the MBR. estimation of entities within collective perception,” in IEEE Vehicular
To further improve the CPMs’ trustworthiness and prevent Networking Conference (VNC), 2019.
attacks on SensorInformationContainer is could be useful to [12] M. Hadded, P. Merdrignac, S. Duhamel, and O. Shagdar, “Security
attacks impact for collective perception based roadside assistance: A
extend the IEEE 1609.2 certificate format to include EV’s study of a highway on-ramp merging case,” in International Wireless
capabilities. This would allow for (authenticated) attestation Communications and Mobile Computing (IWCMC), 2020.
of sensing capabilities. [13] P. Merdrignac, O. Shagdar, S. Tohmé, and J. Franchineau, “Augmented
perception by v2x communication for safety of autonomous and non-
autonomous vehicles,” 7th Transport Research Arena TRA, 2018.
[14] I. Llatser, T. Michalke, M. Dolgov, F. Wildschütte, and H. Fuchs,
D. Misbehavior Detection for sensors and fusion “Cooperative automated driving use cases for 5g v2x communication,”
in IEEE 2nd 5G World Forum (5GWF), 2019, pp. 120–125.
[15] IEEE, “Standard for wireless access in vehicular environments–security
The V2X module of a CAV assumes trustworthy sensor services for applications and management messages,” Std 1609.2, 2016.
data. This assumption is strong as attacks on automotive [16] “The future of v2x: 30 mhz application map we-
RADAR, LiDAR, and camera have been demonstrated [19]. binar,” Mar 2021. [Online]. Available: https://itsa.org/event/
the-future-of-v2x-30-mhz-application-map-webinar/
As highlighted in Tables III and IV, a MBDS using local sen- [17] J.-P. Monteuuis, J. Petit, J. Zhang, H. Labiod, S. Mafrica, and A. Servel,
sors cannot ensure the plausibility of a CPM content. Indeed, “Attacker model for connected and automated vehicles,” in ACM Com-
if sensors can be fooled or jammed by an external attacker, puter Science in Car Symposium, 2018.
[18] J.-P. Monteuuis, A. Boudguiga, J. Zhang, H. Labiod, A. Servel, and
then sensors cannot be a reliable data source for a MBDS. P. Urien, “Sara: Security automotive risk analysis method,” in 4th ACM
Standardizing misbehavior detectors for sensor will allow a Workshop on Cyber-Physical System Security, 2018.
transmitter to insert trusted sensor data in a CPM before its [19] J. Petit and S. E. Shladover, “Potential cyberattacks on automated vehi-
cles,” IEEE Transactions on Intelligent transportation systems, 2014.
transmission. For instance, a machine learning module could [20] B. Nassi, D. Nassi, R. Ben-Netanel, Y. Mirsky, O. Drokin, and Y. Elovici,
verify if the object detected by a sensor has a plausible location “Phantom of the adas: Phantom attacks on driver-assistance systems.”
and motion [20]. Such standardization effort could happen in IACR Cryptol. ePrint Arch., 2020.
the ISO TC22 SC32 committee as part of the future ISO 5083.
 6

TABLE III: Threat analysis of use-cases from ETSI TS 103

324
Ref. Use Case Attacks Defense Risk
A ObjectID is assigned to Attacker generates only track relevant ob- Low.
each detected remote enough objects to exceed jects. Use noise cancel- Reproducibility:
V2X object by the the number of trackable lation techniques to filter Medium. Generating
transmitter objects out transient attacks (sim- large number of objects
ilar to RADAR process- and transmitting them
ing). over multiple CPMs will
require high processing
power.
Impact: Low. Other
remote V2X objects may
report the objects missed
by ego V2X object.
Stealthiness: Low.
Attacker is detectable
through its certificate in
CPM.
B Attacker spoofs objects Objects don’t change in Medium.
such that transmitter size, if that is looked Reproducibility:
associates the spoofed for in change, this attack Medium. The attacker
object with previously may be detected needs to be the first
transmitted ObjectID one to transmit a CPM
with the ObjectID of
interest. This is not
always possible due
to inherent congestion
control mechanisms in
wireless networks.
Impact: Medium. Al-
though the ObjectID of
interest is spoofed, the
real object may be as-
signed a new one. This
may cause that object to
be reported by others as
malicious, raising many
false positives in the re-
vocation system.
Stealthiness: Low. All
receivers will know who
transmitted the false in-
formation since CPM is
broadcasted to all re-
ceivers in range.
 7

TABLE III: Threat analysis of use-cases from ETSI TS 103

324 (continued)
Ref. Use Case Attacks Defense Risk
C Receiver should listen for Attacker starts transmis- Detect such energy blast Medium.
1 second (at least) to re- sion between this 1 sec- as spectrum misbehavior Reproducibility:
ceive all objects in Per- ond. Medium. The attacker
ceivedObjectContainer would need special
hardware (such as a
software defined radio)
to be able to circumvent
congestion control
mechanisms of the
lower layers in wireless
communication.
Impact: Medium. The
receiver will only be able
to receive partial infor-
mation but no malicious
information since the at-
tacker is only disrupting
the connection between
the two original commu-
nicating stations.
Stealthiness: Low. The
attacker can be identi-
fied through the certifi-
cates in its messages.
If the attacker is trans-
mitting bogus informa-
tion, triangulation tech-
niques on the transmit-
ter’s energy source may
be used to pin-point the
attacker.
D Objects are classified as Put up mannequins to be None needed Low.
Person/Animal or other detected as person/animal Reproducibility: Low.
Attacker needs to bring
mannequins on the road.
Impact: Low.
Mannequins may still be
detected as objects. Even
if they are detected as
a person, vehicles will
know their presence and
act accordingly.
Stealthiness: Low.
Attacker would have to
be physically present
to put and move
mannequins.
 8

TABLE III: Threat analysis of use-cases from ETSI TS 103

324 (continued)
Ref. Use Case Attacks Defense Risk
E If classified object is not Attacker uses obscure Rely more on lidar and Medium.
a person or animal esti- painting techniques to infer heading by analyz- Reproducibility: Low.
mated orientation change confuse the camera about ing movement Attacker needs to know
> 4 degrees its heading the painting techniques
that may fool camera,
lidar and radar systems
altogether.
Impact: Medium.
Camera may get fooled
due to optical illusions
created by the paintings
but lidar and radar will
not have any effect on
their performance.
Stealthiness: Low.
The obscurely painted
vehicle will be physically
recognizable.
F If classified object is a Attacker puts a moving Such an ”object” will still Low.
person or animal seen 1st mannequin/scarecrow on be reported in a CPM so Reproducibility: Low.
time wheels to move as fast as it should not affect the Attacker needs to bring
a small scooter. system so much. mannequins on the road.
Impact: Low.
Mannequins may still be
detected as objects. Even
if they are detected as
a person, vehicles will
know their presence and
act accordingly.
Stealthiness: Low.
Attacker would have to
be physically present
to put and move
mannequins.
G If classified object is a Attacker jumps in and out None needed Low.
person or animal if even of LoS to make vehicle Reproducibility: Low.
one person/animal was re-transmit everyone, us- Attacker needs to be
not in CPM since 500ms, ing up resources physically present and
all person and animal perform movements
object have to be in- at the right time to
cluded in currently gen- affect enough number
erated CPM of transmitting V2X
objects.
Impact: Low. Attacker’s
movement may still
be missed if there are
many people around the
attacker.
Stealthiness: Low.
Attacker will be
physically present
and recognizable.
 9

TABLE III: Threat analysis of use-cases from ETSI TS 103

324 (continued)
Ref. Use Case Attacks Defense Risk
H Sensor Information Con- Report object at 100m Correlate with multiple High.
tainer can contain sen- whereas it is at 10m or vehicle’s information Reproducibility: High.
sor capability of receiv- 200m A man-in-the-middle
ing V2X object. attacker can encode
different values than
reality into the Sensor-
InformationContainer
before signing and
transmitting.
Impact: High. If an ob-
ject is spoofed to be sud-
denly in front of another
vehicle. It may cause sud-
den reactions by the vehi-
cle system, causing colli-
sions.
Stealthiness: Medium. A
quick check with on-
board sensors should re-
veal anomaly in CPM in-
formation.
I Report 1m capability and None needed Low.
report object at 5000m Reproducibility: High.
An attacker with man-
in-the-middle capability
should be able to modify
message contents for this
attack.
Impact: Low. A simple
check against capability
of the sensor should
reveal the inconsistency.
Stealthiness: Low.
Attacker will have to
transmit this in its own
CPM and hence will be
recognizable through its
certificate.
 10

TABLE III: Threat analysis of use-cases from ETSI TS 103

324 (continued)
Ref. Use Case Attacks Defense Risk
K ConfirmedFreeSpace cal- Send wrong Confirmed- None needed Medium.
culation MAY be in- FreeSpace to make re- Reproducibility: High.
cluded and calculated us- ceiver believe of free An attacker with man-
ing ray tracing and shad- space in-the-middle capability
owing will be able to modify
message contents for this
attack.
Impact: Medium. If
a transmitting V2X
object wants to make a
maneuver based on the
free space, it will not
be able to do so. Hence,
the attacker would be
successful in hindering
the transmitting V2X
objects’ operation.
Stealthiness: Medium.
If the transmitting V2X
object eventually comes
to a position where it
is able to see its area
of interest directly, it
will be able to detect
the attack and recognize
the attacker through its
certificate.
 11

TABLE III: Threat analysis of use-cases from ETSI TS 103

324 (continued)
Ref. Use Case Attacks Defense Risk
L Blinding lidar and cam- Image processing to de- Medium.
era using lasers tect camera blinding. For Reproducibility: Low.
LIDAR, we need en- Modifying radar or
coded pulse. Out of scope lidar pulses requires
for AMPS-V2X. sophisticated hardware
that understands the
signal quickly to modify
them meaningfully. Cost
of the hardware may also
be a concern.
Impact: High. LIDAR
is a highly relied upon
system for object detec-
tion due to its preci-
sion. RADAR is highly
relied upon by ACC sys-
tems due to its sensi-
tivity to change in dis-
tance. Hence, the impact
of blinding these systems
may have catastrophic ef-
fects on the whole stack
of an autonomous driving
system.
Stealthiness: Medium.
These attacks do not
require the attacker
to reveal its identity,
making the attacker
extremely hard to find.
Although the attack itself
is detectable as a sort
of DoS on LIDAR and
RADAR.
M CPM should be generated Attacker performs DoS Observe too many CPM Low.
within 50ms (generation of CPM (or too few) Reproducibility:
time = CPM generation Low. Attacker needs
trigger - CPM handoff specialized hardware
to Network & Transport with enough computation
layer) power to generate
substantially large CPMs
quickly.
Impact: Medium.
The channel may
get congested due to
this attack starving
communication resources
for CPS.
Stealthiness: Low.
Transmitting V2X
objects will be able to
recognize the attacker
through the certificates
in its CPMs.
 12

TABLE III: Threat analysis of use-cases from ETSI TS 103

324 (continued)
Ref. Use Case Attacks Defense Risk
N Attacker blasts energy at Report such an abnormal Medium
the time when a new energy blast for physical Reproducibility:
CPM is about be gener- inspection Medium. An attacker
ated to interfere with ref- with high energy
erence position determi- producing device can
nation using GPS perform this kind of
attack. However, the
attacker would need to
synchronize the attack
with CPM generation by
the target, which might
be difficult to achieve.
Impact: High. All sur-
rounding vehicles may be
affected by such energy
bursts, bringing the com-
munication infrastructure
for CPS to a halt.
Stealthiness: Low. High
energy bursts can be eas-
ily detected by receivers
as they already do so for
any message they receive.

TABLE IV: Threat analysis of use-cases agnostic to standards

Ref. Use Case Attacks Defense Risk
A RSU will not transmit Transmit CAMs for other The vehicle is already Low. The impact of this
CPM for vehicles that objects to make them dis- aware of all the surround- attack is very low.
they have received a appear from CPM (falsify ing objects Reproducibility:
CAM from telematic information to Medium. Attacker
match that of the other will have to use its own
object) certificates for CAMs of
transmitting V2X object.
Impact: Low. Other
vehicles will still
know the presence
of transmitting V2X
object, hence this attack
will only save the
network bandwidth and
not attack it.
Stealthiness: Medium.
Receiving V2X objects
may not be able to infer
location of attacker but
global V2X systems like
a misbehavior authority
may be able to do
so by looking at any
reported certificates in
misbehavior reports.
 13

TABLE IV: Threat analysis of use-cases agnostic to standards

(continued)
Ref. Use Case Attacks Defense Risk
B Objects are reported with Attacker can target time Make sure the connection Low.
a time offset based on synchronization attack to to clock sync servers is Reproducibility: Low.
synchronization with a offset generation time so secured Accessing a secure time
time clock that the receiver thinks server will require high-
a reported object is far- level physical access.
ther/closer than real posi- These time servers are
tion or spoof speed etc. usually well protected
against web-based
attacks as well.
Impact: High. Loss of
time synchronization will
cause most applications
and time-distance based
calculations to work
falsely.
Stealthiness: Low. Only
a security analysis of the
time server may uncover
any malicious activity.
C Moving box with the size No real threat with this Low.
of a car/truck on wheels attack since a truck-sized Reproducibility: Low.
box is also physically de- Attacker needs a lot of
tectable equipment to build huge
boxes to represent a
truck.
Impact: Low. The box
will still be detected
as an object and hence
vehicles will be able to
maneuver accordingly.
Stealthiness: Medium.
If a box is able to fool
transmitting V2X object
as being a truck, it is
still a relatively stealthy
attack.